COBIT Whitepaper by ITpreneurs

IT Governance and Strategy

Increasing IT Value and Reducing Risk More for Less with COBIT5

IT Governance and Strategy

COBIT 5 the Next Evolution 2

IT Governance and Strategy

COBIT® 5 Released in April 2012 COBIT5 is the eagerly awaited guidance from ISACA on IT Governance. It is a comprehensive framework of globally accepted practices that will help enterprise leaders realize benefits from IT while optimizing risks and resources. In this article, Gary Hardy, lead developer of COBIT5 and one of the originators of the COBIT initiative, as well as leader of the Deloitte IT Governance Centre of Excellence; highlights the key benefits of COBIT5, the strategies for adopting the new guidance and how it helps deal with current issues. The first three publications will be: • COBIT5 Framework, which explains the COBIT5 design principles and approach and the COBIT5 enablers for governance of enterprise IT. • COBIT5 Enabling Processes, which describes the COBIT5 process model and provides all the process related content for the COBIT5 governance and management processes. • COBIT5 Implementation, which is an update of the “Implementing and Continually Improving IT Governance” publication, aligned to COBIT5.

COBIT5 Features and Benefits • COBIT5 provides a single consolidated framework covering ISACA’s guidance on the governance of enterprise IT. • COBIT5 provides a complete enterprise view of IT governance. IT is pervasive and not limited to technicians or the “IT function”. COBIT5 considers the whole enterprise and considers IT-related governance and management enablers to be enterprise-wide. • COBIT5 provides a holistic view of all of the enablers of IT governance. In the past COBIT had a strong process focus and through these processes referred to items such as skills and organisational structures. This is still the case with COBIT5, but in addition, it considers all the governance and management enablers: Culture and ethics, principles and policies, organisational structures, processes, information for decision making, supporting services, and skills and competencies. • COBIT5 separates governance and management processes with the addition of a new Governance domain with which to evaluate, direct, and monitor practices and activities aligned to ISO/IEC 38500:2008. • COBIT5 provides an updated process model aligned with current available standards and best practices that is more complete and relevant to current technologies and services. There are several new processes and final adjustments to the guidance that will be revealed in the new publications. • The updated COBIT5 Implementation Guidance reflects COBIT5 thinking and provides practical guidance on how to initiate and drive IT governance improvements using COBIT5. • COBIT5 will be supported by a new ISO/IEC 15504 process capability assessment method that will enable more rigorous and repeatable assessments, and will support an accredited assessor scheme to allow enterprises to obtain a formal assessment of their GEIT process capability in the future. This method is now available for COBIT4.1 and it is expected to be available for COBIT5 later in 2012. The Implementation Guide provides an overview of how to use COBIT5 with this approach, and also explains how to continue to do a COBIT4.1 equivalent maturity assessment.

www.ITpreneurs.com IT Value Optimisation More for less

IT Governance and Strategy

Impact on Current COBIT Users COBIT5 represents an evolution and continual improvement of ISACA’s guidance; so previous improvements and current implementation activity can be built upon and developed further. COBIT5 is “forward compatible” and will provide mappings to help understand how the old guidance relates to the new. As always, COBIT should be used together with other standards and best practices to obtain more detailed guidance in specific areas. COBIT5 Foundation and Implementation training will be available soon, as well as a short bridging module.

www.ITpreneurs.com IT Value Optimisation More for less

IT Governance and Strategy

The Deloitte IT Value Optimization Survey 5

IT Governance and Strategy

The Deloitte IT Value Optimization Survey In the second half of 2011, Deloitte conducted a preliminary survey amongst South African CIOs to obtain feedback on the current value being derived from IT spending within their enterprises; and focused it on people, process and technology.

Technology: Effective management of IT assets

Process: Well-managed IT processes

People: Optimized use of human capital

The results highlighted weaknesses in key areas addressed by COBIT5

The Importance of Executive Leadership COBIT5 supports the KING III approach to governance of IT and the importance of the board and executives. KING III emphasizes that business leaders (i.e., board and executive management) need to understand that IT is pervasive and an enabler of strategic business objectives. As such, IT should be viewed as an integral part of the way the enterprise operates. COBIT5 takes a full enterprise view of IT and highlights the role of executives in the new governance domain. Given the current economic climate, there is also increased pressure on business leaders to ensure that their enterprises are able to realize value from IT enabled business changes and optimise IT-related costs. COBIT5 integrates previous VALIT guidance into the new process model. Given its pervasive nature, IT-enabled business change affects the entire enterprise. Often the business process and organizational changes are more challenging than the implemention of new technologies. This is increasingly becoming an issue with new models for sourcing IT services. (e.g., Cloud Computing). People have a significant role to play in delivering business objectives, therefore, retaining adequate skills is critical. COBIT5 has an enhanced “Manage Human Resources” process, and emphasizes skills and competence as a key enabler.

www.ITpreneurs.com IT Value Optimisation More for less

IT Governance and Strategy

The Survey Findings The diagram below summarizes the survey findings from weak to strong responses. It shows that the areas of Human Capital and Investment Management were the weakest areas in the companies surveyed:

COBIT5 introduces several new and updated processes directly covering the weakest areas.

www.ITpreneurs.com IT Value Optimisation More for less

IT Governance and Strategy

Managing IT Investments 8

IT Governance and Strategy

Leadership, often does not have a clear approach of considering IT investments, or a way to monitor or report the potential success of failure of these investments. The Deloitte approach aligns with ISACA’s COBIT5 guidance and focuses on two fundamental IT governance-related questions, “Are we doing the right things?” (the strategic question) and, “Are we getting the benefits?” (the value question). The Strategic Question. Is the investment:

The Value Question. Do we have:

In line with our vision

A clear and shared understanding of the expected benefits

Consistent with our business principles

Clear accountability for realizing the benefits

Contributing to our strategic objectives

Relevant metrics

Providing optimal value, at an affordable cost, at an acceptable level of risk

An effective benefits-realization process over the full economic life cycle of the investment

These principles can be summarized as follows: IT-enabled investments will:

Value delivery practices will:

Be managed as a portfolio of investments

Recognize that there are different categories of investments, which will be evaluated and managed differently

Include the full scope of activities required to achieve business value

Define and monitor key metrics and respond quickly to any changes or deviations

Be managed through their full economic life cycle

Engage all stakeholders and assign appropriate accountability for the delivery of capabilities and the realisation of business benefits

Provide optimal value, at an affordable cost, at an acceptable level of risk

Be continually monitored, evaluated and improved

COBIT5 integrates and updates previous VALIT and COBIT4.1 guidance in value management. The Business Case as a Tool for Realizing Value In order to optimize and manage value, a business case should be prepared that defines and articulates the value proposition. The business case should then be maintained and used to manage these investments throughout the full economic life cycle of the initiative. The business case contains a set of assumptions on how value will be created throughout the investment; and is critical to the outcome of the investment program. Few organizations, however, are adept at developing and documenting them in relation to IT initiatives. The aim is to begin by visualizing the desired business outcome and then progress to a detailed description of the required business outcomes, as well as stakeholder roles and responsibilities. Enterprises are more likely to achieve value from their IT enabled investments, where robust and realistic business cases are used. At a minimum, the business case should include the following: • The business benefits targeted, their alignment with business strategy and who in the business functions will be responsible for securing them. • The business changes needed to create additional value. • The investments needed to make the business changes. • The investments required to change or add new IT services and infrastructure. • The on-going IT and business costs of operating in the changed way. • The risks inherent in the above, including any constraints or dependencies. • Who will be accountable for the successful creation of optimal value. • How the investment and value creation will be monitored throughout the economic life cycle, and the metrics to be used.

www.ITpreneurs.com IT Value Optimisation More for less

IT Governance and Strategy

Managing Human Capital 10

IT Governance and Strategy

Given the important role people play in optimizing value from IT across the enterprise, and the difficulty our clients face in retaining appropriate skills, it is important to maximize the investment in human capital. We are living in a fast-changing world with the emergence of new and rapidly changing technologies. Successful enterprises need nimble and flexible workforces with the talent to be able to exploit the opportunities that IT provides. COBIT5 highlights skills and competence as a key enabler of IT governance, and has updated process guidance for managing human resources in the business and IT function. The latest Deloitte Human Capital Trend Report for 2011 is not surprisingly titled, “Revolution/Evolution” emphasizing the sweeping changes to business and new challenges to Human Resource leaders. Deloitte’s 2011 report highlighted four trends that are important in the context of delivering value from IT: 1. Workforce Analytics 2. Technology trends (e.g., SaaS and cloud computing options) 3. From ladder to lattice – corporate ladder giving way to the corporate “lattice” 4. Diversity and inclusion – driving business performance Workforce Analytics Given the pace of change, enterprises need greater foresight — moving from reactive to proactive planning of human resources. Enterprises need to match the skills required to successfully exploit IT opportunities with the skills available. Using predictive modeling to make more effective workforce decisions can be very productive. Workforce analytics involves using statistical models that integrate internal and external data to predict future workforce and talent-related behaviour and events. As resources are becoming more and more limited, analytics are becoming critical in making effective decisions related to: 1. How Human Capital should best be deployed 2. What are the specific factors that drive staff retention on an individual and departmental level 3. IT recruitment 4. Training and development strategy Human Capital and Technology Trends Delivery of value from new technologies such as cloud computing requires a clear understanding of the necessary organizational and process changes. HR management has an important role to play in helping to understand how to best deploy human resources to deliver a return on investment to achieve lower costs and scalability, dealing with deployment challenges, and making implementation and financial choices. From Ladder to Lattice The corporate ladder, one-size-fits-all view of managing work and leading people is becoming outdated. Today’s workplace is not what it used to be, especially given fast-changing technologies. The pace of change is faster. Organizations are flatter. Work is more virtual, collaborative, and project-based. The workforce isn’t what it used to be either. The corporate ladder is collapsing; the corporate lattice is emerging. Enterprises are moving away from people fitting company roles to dynamic lattice career pathways maximizing human potential. This enables a nimble response to technology trends, and helps to grow and retain staff. Diversity and Inclusion – Driving Business Performance Rather than focusing on recruiting new skills, enterprises should concentrate on maximizing the skills of the people they have. Not only can this save recruitment costs, but it can also unlock untapped potential. Delivering value from IT is not solely based on technical skills, but also on a wide array of other competencies such as organizational insight, personality, work styles, etc. Enterprises should retain their staff by growing skills and developing diverse talents. Given the fast pace of technological change, enterprises need to think beyond employees and team up with vendors — adopting a partner model.

www.ITpreneurs.com IT Value Optimisation More for less

IT Governance and Strategy

Contacts 12

IT Governance and Strategy

Gary Hardy

Risk Advisory | IT Governance Centre of Excellence Tel: +27 (0)82 857 0727 Email: gahardy@deloitte.co.za

Laurens Gunneweg

Product Manager | ITpreneurs Tel: +31 (0)10 71 10 260 Email: laurens.gunneweg@itpreneurs.com